BlackBerry devices will be vulnerable to a serious security flaw until a patch is released

BlackBerry has issued a warning to users that its devices and encrypted messaging services are exposed to a serious security flaw, and it has no fix in sight.

The Ontario, Canada-based phone maker said in an advisory, almost two weeks after the flaw was first discovered, that it does not have a fix in place for devices that are affected.

The FREAK flaw is a weakness in modern Web cryptography that allows an attacker positioned between a vulnerable client and server to intercept their encrypted traffic and force both sides into using weaker encryption that can be cracked with modest effort. But despite knowing about the problem since the beginning of the month, the company said there are no current workarounds to prevent device data from being intercepted.
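The "weaker encryption" a FREAK downgrade forces is the export-grade TLS cipher suites (40-bit ciphers and 512-bit RSA) that RFC 4346 still lists. The following added example, not code from the article or from BlackBerry, parses a TLS ClientHello or ServerHello record and reports any export-grade suite offered or selected, which is the check a defender would run over captured handshakes to see whether a client still offers, or a server still accepts, such suites. The sample records are constructed in the block, not captured traffic.

```python
import struct

# Export-grade cipher suite IDs from RFC 4346 Appendix A.5. The RSA_EXPORT
# entries are the ones a FREAK downgrade targets; the DH ones are equally weak.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def hello_cipher_suites(record: bytes) -> list[int]:
    """Cipher suite IDs carried by a TLS handshake record: every suite offered
    in a ClientHello, or the single suite selected in a ServerHello."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type = record[5]
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 34 + 1 + body[34]  # skip version(2) + random(32) + session id
    if hs_type == 0x01:  # ClientHello: 2-byte length, then the suite list
        n = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        return [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    if hs_type == 0x02:  # ServerHello: exactly one suite
        return [struct.unpack(">H", body[pos:pos + 2])[0]]
    raise ValueError(f"unexpected handshake type {hs_type:#x}")

def export_suites_in(record: bytes) -> list[str]:
    """Names of export-grade suites present in the record (empty list = clean)."""
    return [EXPORT_SUITES[s] for s in hello_cipher_suites(record) if s in EXPORT_SUITES]

def build_hello(hs_type: int, suites: list[int]) -> bytes:
    """Constructed sample record (not captured traffic) for exercising the check."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00"  # TLS 1.2, zero random, empty session id
    if hs_type == 0x01:
        body += struct.pack(">H", len(suite_bytes)) + suite_bytes + b"\x01\x00"
    else:
        body += suite_bytes + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    print(export_suites_in(build_hello(0x01, [0xC02F, 0x002F, 0x0003, 0x0008])))
    print(export_suites_in(build_hello(0x02, [0x0003])))  # a server picking this is the downgrade
```

A ClientHello that still lists an export suite means the client has not been hardened; a ServerHello selecting one means the downgrade succeeded on that connection.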

All versions of newer BlackBerry 10 devices, older BlackBerry 7.1 devices, and BlackBerry Enterprise Service 12 and earlier are affected by the flaw — essentially almost every product the company currently has on the market.

BlackBerry Messenger on Android, iPhones and iPads, and Windows Phone is also affected by the flaw.

“Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers,” the advisory warns.

“As fixes become available, this notice will be updated,” it read.

Every version of Windows is affected. Apple devices, including Macs, iPhones, and iPads (which are now patchable) are also hit by the bug, along with Google’s Android operating system. Dozens of other device makers, including Cisco, are introducing patches and fixes for the bug.

BlackBerry devices have long been seen as the industry standard for encrypted messaging. US President Barack Obama has held onto his trusty phone throughout his two terms, despite warnings from the Secret Service to use a hardened, custom device.

The saving grace is that the back-end system, run by BlackBerry Enterprise Service, would require an attacker to first compromise the user’s intranet. The advisory also said that content encrypted before it is sent over SSL, such as with PGP or S/MIME, will “still be protected.”

Spokespeople for the company were not available at the time of writing.